[SmartcardServices-Users] [Tokend-Dev] PIV Auth with CRL Checks

Bram Cymet bcymet at cbnco.com
Wed Jul 21 12:14:35 PDT 2010


On 07/21/2010 03:09 PM, Shawn A. Geddis wrote:
> On Jul 21, 2010, at 2:54 PM, Bram Cymet wrote:
>   
>> Hi,
>>
>> I hope this is the right list to send this to and if it is not please let me know where the right place would be.
>>
>> I have successfully got PIV cards working for login and screensaver access under Snow Leopard. The problem I am having is that it seems to ignore the fact that Keychain Access sees the certs on the cards as being revoked.
>>
>> Is it possible with the current Tokend/Smartcardservices to make it so that if a cert has been revoked that a person using that card is no longer able to log into the system? Or will I have to make some modifications to get this functionality working?
>>
>> Thanks,
>>
>> -- 
>> Bram Cymet
>> Software Developer
>> Canadian Bank Note Co. Ltd.
>> Cell: 613-608-9752
>>     
>
> Bram,
>
> This list is specifically for Tokend Development and your question is a User Question in the use of Smart Cards on a Mac OS X System.  I will cc the User's list in my response, but keep in mind that this particular list is for those "developing" a Tokend.
>
> You will need to explain which method you are using for Client Authentication:
> 	• PubKeyHash - Does not require that the Certificate itself has not been revoked
> 	• Attribute Matching - Leveraging attribute(s) from the cert on the card to determine which DS Account to Authenticate against
> 	• PKINIT (SSO to DS) - Validates the cert / cert chain locally as well as authenticates to Kerberos KDC with that Certificate.
>
> Which method are you using ?
>
> -Shawn
> __________________________________________________
> Shawn Geddis                                       geddis at mac.com
> Security Consulting Engineer                       geddis at apple.com
>
> MacOSForge Project Lead:                           Smart Card Services
> 	Web:	http://smartcardservices.macosforge.org/
> 	Lists:	http://lists.macosforge.org/mailman/listinfo
> __________________________________________________
>
>   

Hi Shawn,

Thanks for the response. I am using PubKeyHash at the moment, which,
based on what you have written above, I guess means it is working the
way it should be. So is PKINIT or Attribute Matching (or either) the
Client Authentication method I should be using? Or can I make it work
with PubKeyHash as well?

Thanks,

-- 
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
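The distinction Shawn draws above, that a PubKeyHash match does not require the card certificate to be unrevoked while PKINIT validates the chain locally, can be reproduced on the command line. The script below is an added example and is not code from the thread, from Tokend or from Smart Card Services; it builds a constructed throwaway PKI (a CA, one "card" certificate, and a CRL that revokes it) in a temporary directory and then validates the card certificate twice with the openssl CLI: once with a chain-only check, which is all a PubKeyHash-style match settles for, and once with CRL checking, as a PKINIT-style local validation requires. The names `demo.cnf`, `Demo PIV Issuing CA` and `Demo PIV Cardholder` are invented for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the mailing-list thread). Requires the openssl CLI.
# Every artifact below (CA, cardholder cert, CRL) is constructed at run time.

demo_dir=""

# Minimal OpenSSL config used by the req, x509 and ca commands below.
write_demo_config() {
  cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused-overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 7
certificate = ca.crt
private_key = ca.key
EOF
}

# Build a throwaway CA, issue a "card" certificate, revoke it, publish a CRL.
setup_demo_pki() {
  demo_dir="$(mktemp -d)"
  (
    cd "$demo_dir" || exit 1
    write_demo_config
    # 1. Self-signed issuing CA (constructed).
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -sha256 -days 30 -subj "/CN=Demo PIV Issuing CA" -keyout ca.key -out ca.crt
    # 2. Cardholder certificate issued by that CA (constructed).
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=Demo PIV Cardholder" -keyout user.key -out user.csr
    openssl x509 -req -sha256 -days 30 -in user.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -extfile demo.cnf -extensions v3_user -out user.crt
    # 3. Revoke it and publish the CA's CRL.
    : > index.txt
    echo 01 > crlnumber
    openssl ca -config demo.cnf -revoke user.crt
    openssl ca -config demo.cnf -gencrl -md sha256 -crldays 7 -out ca.crl
  ) >/dev/null 2>&1
}

# Chain-only validation: what a PubKeyHash-style match effectively settles for.
# Exits 0 even though the certificate has been revoked.
verify_chain_only() {
  ( cd "$demo_dir" && openssl verify -CAfile ca.crt user.crt ) >/dev/null 2>&1
}

# Chain plus revocation check, as a PKINIT-style local validation performs.
# Exits non-zero ("certificate revoked") once the CA's CRL lists the serial.
verify_with_crl() {
  ( cd "$demo_dir" && \
    openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl user.crt ) >/dev/null 2>&1
}

setup_demo_pki || { echo "PKI setup failed (is openssl installed?)"; exit 1; }
trap 'rm -rf "$demo_dir"' EXIT

if verify_chain_only; then
  echo "chain-only check (PubKeyHash-style): revoked card certificate ACCEPTED"
fi
if ! verify_with_crl; then
  echo "chain + CRL check (PKINIT-style):    revoked card certificate REJECTED"
fi
```

The first check passes because nothing in it consults the issuer's revocation data; the second fails only because the CRL is supplied and `-crl_check` is set. That is the gap a PubKeyHash login has: the card's public key still matches the user record, so revocation is never consulted unless the authentication method itself performs a chain validation with revocation checking.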
